
T-79.159 Cryptography and Data Security

Lecture 2:
2.1 Classical cryptosystems
2.2 Introduction to modern cryptographic primitives

Reading: Kaufman et al., Chapter 2; Stallings, Chapter 2

2.1 Classical Cryptosystems

Caesar Cipher, or Shift Cipher

  Plain:  meet me after the toga party
  Cipher: PHHW PH DIWHU WKH WRJD SDUWB

Alphabets
  Plain:  abcdefghijklmnopqrstuvwxyz
  Cipher: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Or, numerically:
  Plain:  0 1 2 3 4 5 6 7 8 9 ... 24 25
  Cipher: 0 1 2 3 4 5 6 7 8 9 ... 24 25

Substitution is a mapping from "Plain" to "Cipher".

Caesar cipher

  p = plaintext letter,  p ∈ {0,1,2,…,25}
  C = ciphertext letter, C ∈ {0,1,2,…,25}

Caesar substitution E:
  C = E(p) = (p + 3) mod 26
  0 -> 3; 1 -> 4; … ; 22 -> 25; 23 -> 0; 24 -> 1; 25 -> 2

Caesar substitution, inverse transformation D:
  p = D(C) = (C – 3) mod 26
  0 -> 23; 1 -> 24; 2 -> 25; 3 -> 0; … ; 25 -> 22

Brute force cryptanalysis of shift cipher

Shift cipher:  E: C = E(p) = (p + K) mod 26,  K = key, K ∈ {0,1,2,3,…,25}

We need only some piece of ciphertext to do an exhaustive search over the 26 keys:

  K   PHHW PH DIWHU WKH WRJD SDUWB
  1   oggv og ...
  2   nffu nf ...
  3   meet me after the toga party

Monoalphabetic substitution

Alphabets
  Plain:  abcdefghijklmnopqrstuvwxyz
  Cipher: ABCDEFGHIJKLMNOPQRSTUVWXYZ

Key = permutation of the 26 characters
Size of key space: 26! ≅ 4 x 10^26
Cryptanalysis based on statistical properties of the plaintext

Relative Frequency of Letters in English Text (percent)

  A  8.167    N  6.749
  B  1.492    O  7.507
  C  2.782    P  1.929
  D  4.253    Q  0.095
  E 12.702    R  5.987
  F  2.228    S  6.327
  G  2.015    T  9.056
  H  6.094    U  2.758
  I  6.996    V  0.978
  J  0.153    W  2.360
  K  0.772    X  0.150
  L  4.025    Y  1.974
  M  2.406    Z  0.074


Ciphertext obtained from a Substitution Cipher

YIFQF MZRWQ FYVEC FMDZP CVMRZ WNMDZ VEJBT XCDDU MJNDI FEFMD ZCDMQ ZKCEY FCJMY RNCWJ CSZRE XCHZU NMXZN ZUCDR JXYYS MRTME YIFZW DYVZV YFZUM RZCRW NZDZJ JXZWG CHSMR NMDHN CMFQC HZJMX JZWIE JYUCF WDJNZ DIR

Frequency table of the ciphertext (168 letters)

  A  0    N  9
  B  1    O  0
  C 15    P  1
  D 13    Q  4
  E  7    R 10
  F 11    S  3
  G  1    T  2
  H  4    U  5
  I  5    V  5
  J 11    W  8
  K  1    X  6
  L  0    Y 10
  M 16    Z 20

Simple substitution: frequency analysis cont'd

The most frequent character: Z
The most frequent character in English: e
Guess: D(Z) = e
The next most frequent characters: {M, C, D, F, J, R, Y, N}
The next most frequent characters in English: {t, a, o, i, n, s, h, r}
The most frequent digrams with Z are: DZ, ZW (4 times); NZ, ZU (3 times); RZ, HZ, XZ, FZ, ZR, ZV, ZC, ZD (two times each)

Using common digrams…

NZ is common but ZN occurs only once; guess D(N) = h
ZW is common and WZ not at all, and W is rare; guess D(W) = d
DZ (4 times) and ZD (2 times) are both common; we guess D(D) ∈ {r, s, t}
ZRW and RZW occur, and RW occurs, and R is frequent; we guess D(R) = n

Now we have D(Z) = e, D(N) = h, D(W) = d, D(R) = n (letters still unknown are shown as dots):

  YIFQF MZRWQ FYVEC FMDZP CVMRZ WNMDZ VEJBT
  ..... .end. ..... ...e. ...ne dh..e .....
  XCDDU MJNDI FEFMD ZCDMQ ZKCEY FCJMY RNCWJ
  ..... ..h.. ..... e.... e.... ..... nh.d.
  CSZRE XCHZU NMXZN ZUCDR JXYYS MRTME YIFZW
  ..en. ...e. h..eh e...n ..... .n... ...ed
  DYVZV YFZUM RZCRW NZDZJ JXZWG CHSMR NMDHN
  ...e. ..e.. ne.nd he.e. ..ed. ....n h...h
  CMFQC HZJMX JZWIE JYUCF WDJNZ DIR
  ..... .e... .ed.. ..... d..he ..n

ne.ndhe (RZCRW NZ…) suggests that D(C) = a

With D(C) = a added, the string RNM (…CHSMR NMDHN…) decrypts to nh., which suggests that D(M) = i or o

We have D(M) = i as well. Guess E(o) ∈ {D, F, J, Y}; then Y is the most likely.

With D(Y) = o, the remaining frequent letters {D, F, J} possibly decrypt to {r, s, t}

Trying D(D) = s, D(F) = r, D(J) = t:

  YIFQF MZRWQ FYVEC FMDZP CVMRZ WNMDZ VEJBT
  o.r.r iend. ro..a rise. a.ine dhise ..t..
  XCDDU MJNDI FEFMD ZCDMQ ZKCEY FCJMY RNCWJ
  .ass. iths. r.ris easi. e.a.o ratio nhadt
  CSZRE XCHZU NMXZN ZUCDR JXYYS MRTME YIFZW
  a.en. .a.e. hi.eh e.asn t.oo. in.i. o.red
  DYVZV YFZUM RZCRW NZDZJ JXZWG CHSMR NMDHN
  so.e. ore.i neand heset t.ed. a..in his.h
  CMFQC HZJMX JZWIE JYUCF WDJNZ DIR
  air.a .eti. ted.. to.ar dsthe s.n

Try D(Q) = f and so on: "iend." becomes "iendf", "easi." becomes "easif", "air.a" becomes "airfa".

Then D(I) = u: "o.r.r iendf" becomes "ourfr iendf", "iths." becomes "ithsu", "o.red" becomes "oured", "ted.." becomes "tedu.", "s.n" becomes "sun".

Then D(V) = m: "ro..a" becomes "rom.a", "a.ine" becomes "amine", "so.e." becomes "somem".

The rest follows from the readable fragments (D(E) = p, D(X) = l, D(U) = w, D(K) = v, D(T) = g, D(B) = y, D(P) = x, D(S) = k, D(H) = c, D(G) = b):

  YIFQF MZRWQ FYVEC FMDZP CVMRZ WNMDZ VEJBT
  ourfr iendf rompa risex amine dhise mptyg
  XCDDU MJNDI FEFMD ZCDMQ ZKCEY FCJMY RNCWJ
  lassw ithsu rpris easif evapo ratio nhadt
  CSZRE XCHZU NMXZN ZUCDR JXYYS MRTME YIFZW
  akenp lacew hileh ewasn tlook ingip oured
  DYVZV YFZUM RZCRW NZDZJ JXZWG CHSMR NMDHN
  somem orewi neand heset tledb ackin hisch
  CMFQC HZJMX JZWIE JYUCF WDJNZ DIR
  airfa cetil tedup towar dsthe sun
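The frequency analysis just carried out by hand, as an added example that is not part of the lecture slides. The ciphertext and the sequence of guesses are the lecture's; the code computes the single-letter and digram counts that the guesses were based on, then replays the guesses step by step with a partial decryption that shows still-unknown letters as dots, which is how the intermediate slides were produced. The step grouping of the guesses is an assumption that follows the order of the slides.

```python
from collections import Counter

# Ciphertext from the lecture (168 letters, written in groups of five).
CIPHERTEXT = (
    "YIFQF MZRWQ FYVEC FMDZP CVMRZ WNMDZ VEJBT "
    "XCDDU MJNDI FEFMD ZCDMQ ZKCEY FCJMY RNCWJ "
    "CSZRE XCHZU NMXZN ZUCDR JXYYS MRTME YIFZW "
    "DYVZV YFZUM RZCRW NZDZJ JXZWG CHSMR NMDHN "
    "CMFQC HZJMX JZWIE JYUCF WDJNZ DIR"
)

# The guesses of the lecture in order; each step maps ciphertext letters to the
# plaintext letters assigned at that point (grouping per step is an assumption).
STAGES = [
    {"Z": "e", "N": "h", "W": "d", "R": "n"},           # from frequencies and digrams
    {"C": "a"},                                         # ne.ndhe
    {"M": "i"},                                         # RNM -> nh.
    {"Y": "o"},                                         # most likely image of o
    {"D": "s", "F": "r", "J": "t"},                     # {D,F,J} -> {r,s,t}
    {"Q": "f"},
    {"I": "u"},
    {"V": "m"},
    {"E": "p", "X": "l", "U": "w", "K": "v", "T": "g",  # the rest from fragments
     "B": "y", "P": "x", "S": "k", "H": "c", "G": "b"},
]


def letters_only(text):
    return "".join(ch for ch in text if ch.isalpha()).upper()


def frequency_table(ciphertext):
    """Single-letter counts for all 26 letters, in alphabetical order."""
    counts = Counter(letters_only(ciphertext))
    return {ch: counts[ch] for ch in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}


def digrams_with(ciphertext, letter):
    """Counts of the digrams containing `letter`, most common first. Digrams are
    counted on the letter stream, ignoring the five-letter grouping."""
    stream = letters_only(ciphertext)
    counts = Counter(stream[i:i + 2] for i in range(len(stream) - 1))
    return {d: n for d, n in counts.most_common() if letter in d}


def partial_decrypt(ciphertext, key):
    """Apply a (partial) key: known letters become lower-case plaintext, unknown
    letters are shown as '.', spaces are kept."""
    return "".join(key.get(ch, "." if ch.isalpha() else ch) for ch in ciphertext)


def solve_by_stages(ciphertext, stages):
    """Accumulate the guesses and return (key so far, partial decrypt) per step."""
    key, steps = {}, []
    for stage in stages:
        key.update(stage)
        steps.append((dict(key), partial_decrypt(ciphertext, key)))
    return steps


if __name__ == "__main__":
    print(frequency_table(CIPHERTEXT))
    print(digrams_with(CIPHERTEXT, "Z"))
    for key, text in solve_by_stages(CIPHERTEXT, STAGES):
        print(f"{len(key):2d} letters known: {text}")
```

Note that `digrams_with` counts across the five-letter groups; the 4th DZ and two of the ZW's only exist once the grouping is ignored, which is what the lecture's digram counts assume.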

Playfair Cipher

Key square (filled with the keyword MONARCHY and then the remaining letters; I and J share one cell):

  M O N A R
  C H Y B D
  E F G I/J K
  L P Q S T
  U V W X Z

Plaintext formatting: the letters are taken in pairs; a pair of two equal letters is broken up with a filler letter, e.g. oo -> oxo

The encryption rules:
  Regular case (the two letters lie in different rows and columns): each letter is replaced by the letter in its own row and in the column of the other letter, e.g. hs -> BP, ea -> IM
  Same row or column: each letter is replaced by the letter to its right (same row) or below it (same column), wrapping around at the edge, e.g. ar -> RM, mu -> CM
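The Playfair rules above as code, an added example that is not part of the lecture slides. The key square and the four pairs are the lecture's; the preparation step (letters only, J folded into I, equal pairs split with X, an odd tail padded with X) is the standard convention and is an assumption as far as the slide goes, which only shows the oo -> oxo case.

```python
# Key square from the lecture: keyword MONARCHY, then the remaining letters,
# with I and J sharing one cell (J is folded into I below).
SQUARE = ["MONAR", "CHYBD", "EFGIK", "LPQST", "UVWXZ"]
POS = {ch: (r, c) for r, row in enumerate(SQUARE) for c, ch in enumerate(row)}


def prepare(text):
    """Plaintext formatting: letters only, J -> I, split into pairs. A pair of
    equal letters is broken with an X (oo -> ox o...), an odd tail is padded with X."""
    letters = ["I" if ch.upper() == "J" else ch.upper() for ch in text if ch.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None or a == b:
            pairs.append(a + "X")
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def transform_pair(pair, shift):
    """The encryption rules (shift=+1) and their inverse (shift=-1):
    same row    -> the letter to the right (left when decrypting), wrapping;
    same column -> the letter below (above when decrypting), wrapping;
    otherwise   -> the letter in the own row and the other letter's column."""
    (r1, c1), (r2, c2) = POS[pair[0]], POS[pair[1]]
    if r1 == r2:
        return SQUARE[r1][(c1 + shift) % 5] + SQUARE[r2][(c2 + shift) % 5]
    if c1 == c2:
        return SQUARE[(r1 + shift) % 5][c1] + SQUARE[(r2 + shift) % 5][c2]
    return SQUARE[r1][c2] + SQUARE[r2][c1]


def playfair_encrypt(plaintext):
    return "".join(transform_pair(p, +1) for p in prepare(plaintext))


def playfair_decrypt(ciphertext):
    """Ciphertext is always an even number of letters, so no preparation is needed;
    the filler X's stay in the output for the reader to drop."""
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(transform_pair(p, -1) for p in pairs)


if __name__ == "__main__":
    print(prepare("balloon"))               # ['BA', 'LX', 'LO', 'ON']
    print(playfair_encrypt("hs ea ar mu"))  # BPIMRMCM
    print(playfair_decrypt("BPIMRMCM"))     # HSEAARMU
```

The rectangle rule is its own inverse, which is why one function with a shift of +1 or -1 covers both directions; only the same-row and same-column cases need the direction reversed.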

Hill Cipher

  (c1 c2 c3) = (p1 p2 p3) x | k11 k12 k13 |  mod 26
                            | k21 k22 k23 |
                            | k31 k32 k33 |

Plain: triples of numbers in {0,1,2,…,25}
Cipher: triples of numbers in {0,1,2,…,25}
Key: 3x3 matrices with entries in {0,1,2,…,25}
Arithmetic as in shift cipher plus multiplication

Decryption multiplies by the inverse matrix K^-1 mod 26, so the key must be invertible modulo 26: its determinant must be odd and not divisible by 13.
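The Hill cipher as code, an added example that is not part of the lecture slides. It uses the row-vector convention of the formula above, computes the inverse key modulo 26 through the adjugate (and refuses keys whose determinant shares a factor with 26), and adds the point a practitioner cares about: the cipher is linear, so three known plaintext/ciphertext block pairs with an invertible plaintext matrix give the key as K = P^-1 x C. The key matrix and the messages are constructed assumptions.

```python
from math import gcd

MOD = 26


def minor(m, i, j):
    return [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]


def det(m):
    """Integer determinant by cofactor expansion along the first row."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det(minor(m, 0, j)) for j in range(len(m)))


def mat_inv_mod(m, mod=MOD):
    """K^-1 mod 26 = det(K)^-1 * adj(K). Raises if det(K) is not a unit mod 26,
    i.e. if the key has no decryption transformation."""
    d = det(m) % mod
    if gcd(d, mod) != 1:
        raise ValueError(f"determinant {d} is not invertible mod {mod}")
    d_inv = pow(d, -1, mod)
    n = len(m)
    return [[(d_inv * (-1) ** (i + j) * det(minor(m, j, i))) % mod for j in range(n)]
            for i in range(n)]


def mat_mul_mod(a, b, mod=MOD):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % mod
             for j in range(len(b[0]))] for i in range(len(a))]


def to_blocks(text, n):
    nums = [ord(ch) - 97 for ch in text.lower() if ch.isalpha()]
    if len(nums) % n:
        raise ValueError("message length must be a multiple of the block size")
    return [nums[i:i + n] for i in range(0, len(nums), n)]


def hill_encrypt(plaintext, key):
    """(c1 c2 c3) = (p1 p2 p3) x K mod 26, one block per row of the product."""
    rows = mat_mul_mod(to_blocks(plaintext, len(key)), key)
    return "".join(chr(v + 65) for row in rows for v in row)


def hill_decrypt(ciphertext, key):
    rows = mat_mul_mod(to_blocks(ciphertext, len(key)), mat_inv_mod(key))
    return "".join(chr(v + 97) for row in rows for v in row)


def recover_key(known_plain, known_cipher, n=3):
    """Known-plaintext attack: with n blocks stacked as rows, C = P x K, hence
    K = P^-1 x C mod 26 (the plaintext matrix P must be invertible mod 26)."""
    p = to_blocks(known_plain, n)[:n]
    c = to_blocks(known_cipher, n)[:n]
    return mat_mul_mod(mat_inv_mod(p), c)


# Constructed example key (an assumption, not from the lecture).
KEY = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]

if __name__ == "__main__":
    ct = hill_encrypt("paymoremoney", KEY)
    print(ct, hill_decrypt(ct, KEY))
    print(recover_key("thefoxbig", hill_encrypt("thefoxbig", KEY)) == KEY)
```

The attack needs the three known plaintext blocks to form an invertible matrix; with everyday English that often fails on the first try (a determinant that is even or a multiple of 13), so an attacker simply slides along the known plaintext until a usable triple appears.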

Polyalphabetic ciphers: Vigenère

Plain and Cipher: finite sequences of characters in {0,1,2,…,25}
Key of period q: k1 k2 k3 … k(q-1) kq, a sequence of length q of characters in {0,1,2,…,25}
Encryption:
  c1 = (p1 + k1) mod 26        c(q+1) = (p(q+1) + k1) mod 26
  c2 = (p2 + k2) mod 26        c(q+2) = (p(q+2) + k2) mod 26
  ...                          ...
  cq = (pq + kq) mod 26        c(2q) = (p(2q) + kq) mod 26
and so on: the key is repeated, so ci = (pi + kj) mod 26 with j = ((i – 1) mod q) + 1.

Polyalphabetic ciphers: Vigenère Example

  Plain:  ourfr iendf rompa risex amine dhise mptyg
  Key:    sprin gspri ngspr ingsp rings pring sprin
  Cipher: GJINE OWCUN EU... ..

Note the repetition of a two-character string resulting from a repetition in the plaintext! The digram "fr" occurs at positions 4-5 ("our friend") and again at positions 10-11 ("from"), six positions apart. With a key of period 6 both occurrences meet the same key letters "in", so both encrypt to NE.

Kasiski's method to determine the period

  • Many strings of characters repeat themselves in natural languages.
  • Assume the interval between two occurrences of a string is a multiple of the period length.
  • Then a repetition of a character string of the same length occurs in the ciphertext.
  • By detecting repetitions of strings in the ciphertext one can find the period as the greatest common divisor (GCD) of the repetition intervals.
  • There may be false repetitions. The longer the repeating string, the more significant it is. Repeating strings of length ≥ 3 are the most significant.
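The Vigenère example and Kasiski's method together, as an added example that is not part of the lecture slides. The plaintext and key "spring" are the lecture's; the code encrypts, finds the repeated NE six positions apart, and implements the period estimate as the GCD of the repetition intervals of n-grams. The short second message and its key "cab" are constructed to show a case where the GCD comes out exactly as the period.

```python
from collections import defaultdict
from functools import reduce
from math import gcd


def vigenere(text, key, decrypt=False):
    """c_i = (p_i + k_j) mod 26 with the key of period q = len(key) repeated;
    letters only. Encryption returns upper case, decryption lower case."""
    shifts = [ord(k) - 97 for k in key.lower()]
    out = []
    letters = [ch for ch in text.lower() if ch.isalpha()]
    for i, ch in enumerate(letters):
        k = shifts[i % len(shifts)]
        v = (ord(ch) - 97 + (-k if decrypt else k)) % 26
        out.append(chr(v + (97 if decrypt else 65)))
    return "".join(out)


def repeated_ngrams(ciphertext, n=3):
    """Every n-gram occurring at least twice, with the distances between consecutive
    occurrences (Kasiski's repetition intervals)."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    return {g: [b - a for a, b in zip(p, p[1:])]
            for g, p in positions.items() if len(p) > 1}


def kasiski_period(ciphertext, n=3):
    """Candidate period = GCD of all repetition intervals of n-grams.
    Returns (gcd, intervals); a gcd of 0 means no repetition was found. A single
    false repetition can drag the GCD down to 1, which is why longer n-grams (n >= 3)
    are preferred and why the intervals are returned for inspection."""
    intervals = [d for ds in repeated_ngrams(ciphertext, n).values() for d in ds]
    return reduce(gcd, intervals, 0), intervals


SLIDE_PLAIN = "ourfriendfromparisexaminedhisemptyg"
SLIDE_KEY = "spring"

if __name__ == "__main__":
    ct = vigenere(SLIDE_PLAIN, SLIDE_KEY)
    print(ct)                                   # GJINEOWCUNEU...
    print("NE intervals:", repeated_ngrams(ct, 2).get("NE"))
    toy = vigenere("thedogthecatthedogcat", "cab")
    print(toy, kasiski_period(toy))
```

On a text as short as the lecture's 35 letters only digram repeats are available, and digrams repeat by chance often; in practice one runs the trigram version over a few hundred letters and confirms the candidate with a per-column frequency check.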

One Time Pad

  • Claude Shannon laid (1949) the information theoretic fundamentals of secrecy systems.
  • Shannon's pessimistic inequality: for perfect secrecy you need as much key as you have plaintext.
  • An example of a cipher which achieves perfect secrecy is the One Time Pad: ci = (pi + ki) mod 26, where the key is a string of characters k1 k2 k3 … ki chosen uniformly at random and used for one message only.
  • Practical ciphers do not provide perfect secrecy.
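The One Time Pad over the 26-letter alphabet, as an added example that is not part of the lecture slides. Besides encryption and decryption with a uniformly random pad it enforces Shannon's condition (the pad must be at least as long as the message) and shows the failure mode the name warns about: if one pad encrypts two messages, the key cancels in the difference of the ciphertexts and one known message reveals the other. The messages and the fixed pad used for illustration are constructed.

```python
import secrets

A = ord("a")


def random_pad(length):
    """k_1 ... k_n chosen uniformly at random from {0,...,25}, one per plaintext letter."""
    return [secrets.randbelow(26) for _ in range(length)]


def to_nums(text):
    return [ord(ch) - A for ch in text.lower() if ch.isalpha()]


def to_text(nums):
    return "".join(chr(n + A) for n in nums)


def otp_encrypt(plaintext, pad):
    """c_i = (p_i + k_i) mod 26. Refuses a pad shorter than the message: that is
    exactly the 'as much key as plaintext' requirement."""
    p = to_nums(plaintext)
    if len(pad) < len(p):
        raise ValueError("pad shorter than message: perfect secrecy needs as much key as plaintext")
    return to_text((pi + ki) % 26 for pi, ki in zip(p, pad))


def otp_decrypt(ciphertext, pad):
    """p_i = (c_i - k_i) mod 26."""
    c = to_nums(ciphertext)
    if len(pad) < len(c):
        raise ValueError("pad shorter than ciphertext")
    return to_text((ci - ki) % 26 for ci, ki in zip(c, pad))


def pad_reuse_leak(c1, c2):
    """Two messages under the same pad: (c1_i - c2_i) = (p1_i - p2_i) mod 26.
    The key cancels and the attacker learns the letter-wise difference of the
    plaintexts without touching the pad."""
    return [(a - b) % 26 for a, b in zip(to_nums(c1), to_nums(c2))]


def recover_other(c1, c2, known_p1):
    """Given one plaintext (a crib), the other follows: p2_i = p1_i - (c1_i - c2_i)."""
    diff = pad_reuse_leak(c1, c2)
    return to_text((pi - di) % 26 for pi, di in zip(to_nums(known_p1), diff))


if __name__ == "__main__":
    pad = random_pad(10)
    c = otp_encrypt("attackdawn", pad)
    print(c, otp_decrypt(c, pad))
    c2 = otp_encrypt("retreatnow", pad)      # same pad: the mistake
    print(recover_other(c, c2, "attackdawn"))  # retreatnow
```

Note that `secrets` rather than `random` is used for the pad: perfect secrecy rests on the key being uniform and unpredictable, and a seeded pseudo-random generator is neither.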

2.2 Introduction to contemporary cryptographic primitives

  • Secret key (symmetric) primitives
    – Block cipher
    – Stream cipher
    – Integrity primitives
      • Message authentication code
      • Hash functions
  • Public key (asymmetric) primitives
    – Public key encryption scheme
    – Digital signature scheme

Primitives and protocols

  • Cryptographic primitives and functions are used as building blocks of cryptographic protocols.
  • For example,
    1) A stream cipher primitive is the basic building block of an encryption protocol
    2) A message authentication code is the basic building block of an authentication protocol

Man-made vs. Math-made

Symmetric primitives are
  • based on man-made constructions,
  • fast and easy to implement in software and hardware,
  • short keys.

Asymmetric (public key) primitives are
  • based on mathematical constructions; their security is derived from the infeasibility of some computationally hard problem,
  • slow and difficult to implement (both in software and hardware),
  • long keys and parameters.

Note: it would be possible to construct symmetric primitives based on mathematics, but they are not used in practice because they are not efficient compared to the man-made symmetric primitives.

Block ciphers

Confidentiality primitive
  • Threat: retrieve the plaintext from the ciphertext without the knowledge of the key.
  • Security goal: protect against this threat.

Plaintext P: strings of bits of fixed length n
Ciphertext C: strings of bits of the same length n
Key K: string of bits of fixed length k
Encryption transformations: for each fixed key the encryption operation E_K is a one-to-one (invertible) function from the set of plaintexts to the set of ciphertexts. That is, there exists an inverse transformation, the decryption transformation D_K, such that for each P and K we have D_K(E_K(P)) = P.

  Encryption: (Message, Secret key) -> Ciphertext
  Decryption: (Ciphertext, Secret key) -> Message

Block ciphers, security

  • Security is measured in terms of time: how long it takes to break the cipher using available resources.
  • Upper bound of security: the time complexity of exhaustive key search, which is equal to 2^k with a key length of k bits.
  • A second upper bound: 2^(n/2), with block length n (due to the birthday paradox, to be explained later).
  • If an attack leads to a break in time 2^t, where t < k, then the cipher is said to be theoretically broken, and the effective key length of the cipher is reduced to t. (This does not mean that the cipher is broken in practice unless t is very small.)

Block ciphers, design principles

  • The ultimate design goal of a block cipher is to use the secret key as efficiently as possible.
  • Confusion and diffusion (Shannon)
  • New design criteria are being discovered as a response to new attacks.
  • A state-of-the-art block cipher is constructed taking into account all known attacks and design principles.
  • But no such block cipher can become provably secure; it may remain open to some new, unforeseen attack.
  • Common constructions with an iterated round function:
    – Substitution permutation network (SPN)
    – Feistel network
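A Feistel network as an added example, not code from the lecture: it shows the property that makes the construction attractive, namely that the block cipher is invertible even though the round function F is not (here F is a keyed hash, which nobody can invert), because decryption only ever recomputes F. The key schedule, the use of SHA-256 as F, and the 16-byte block are constructed assumptions; a real cipher uses a cheap round function and many more design constraints than "anything keyed".

```python
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(half: bytes, subkey: bytes) -> bytes:
    """A deliberately non-invertible F: keyed hash truncated to the half-block size.
    The network never needs F^-1, only F itself."""
    return hashlib.sha256(subkey + half).digest()[:len(half)]


def subkeys(key: bytes, rounds: int):
    """Toy key schedule (constructed): subkey_i = SHA-256(key || i)."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]


def feistel(block: bytes, keys) -> bytes:
    """One pass of the network. Round i: (L, R) -> (R, L xor F(R, K_i)).
    The final swap is undone, so the same function run with the subkeys in
    reverse order is the decryption."""
    if len(block) % 2:
        raise ValueError("block length must be even")
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for k in keys:
        left, right = right, xor(left, round_function(right, k))
    return right + left


def encrypt(block: bytes, key: bytes, rounds: int = 16) -> bytes:
    return feistel(block, subkeys(key, rounds))


def decrypt(block: bytes, key: bytes, rounds: int = 16) -> bytes:
    return feistel(block, list(reversed(subkeys(key, rounds))))


if __name__ == "__main__":
    key, pt = b"constructed demo key", b"sixteen byte blk"
    ct = encrypt(pt, key)
    print(ct.hex(), decrypt(ct, key))
    # With a single round, half of the plaintext is copied to the output in clear:
    print(encrypt(pt, key, rounds=1)[8:])    # b'yte blk'
```

The one-round call at the end is worth running: the right half of the plaintext appears unchanged in the ciphertext, which is the simplest illustration of why the number of rounds is itself a security parameter.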

Attacks on block ciphers

  • Ciphertext only attack: the attacker has access to some amount of ciphertext and also knows something about the nature of the plaintext, which is not perfectly random.
  • Known plaintext attack: the attacker has access to some amount of plaintext and the corresponding ciphertext.
  • Chosen plaintext attack: the attacker is able to choose some amount of plaintext and obtains the corresponding ciphertext.
  • Adaptively chosen plaintext attack: the attacker is able to choose some amount of plaintext in parts, and obtain the corresponding ciphertext, where the choice of each new part of plaintext is influenced by all previously obtained ciphertext.
  • Chosen ciphertext and adaptively chosen ciphertext attacks: similar to the chosen plaintext attacks but now with the roles of plaintext and ciphertext reversed.

Stream ciphers

  • Stream ciphers are generally faster than block ciphers, especially when implemented in hardware.
  • Stream ciphers have less hardware complexity.
  • Stream ciphers can be adapted to process the plaintext bit by bit, or word by word, while block ciphers require buffering to accumulate the full plaintext block.
  • Synchronous stream ciphers have no error propagation; encryption is done character by character with keys K_i that are independent of the data: C_i = E_{K_i}(P_i)
  • Function E is simple; the function which computes the key sequence is complex.
  • Example: Vigenère cipher, One Time Pad: C_i = (P_i + K_i) mod 26

Stream cipher encryption

  Secret key -> key stream generator -> Key stream
  Encryption: (Key stream, Message) -> Ciphertext
  Decryption: (Ciphertext, Key stream) -> Message, with the same key stream regenerated from the same secret key

Stream ciphers: Security

  • Known plaintext gives known key stream. Chosen plaintext gives the same but nothing more.
  • Chosen ciphertext attack may be a useful method for analysing a self-synchronising stream cipher.
  • The attacker of a stream cipher may try to find one internal state of the stream cipher to obtain a functionally equivalent algorithm without knowing the key.
  • Distinguishing a key stream sequence from a truly random sequence also allows the key stream to be predicted with some accuracy. Such an attack is also called a prediction attack.

Requirements:
  • Long period
  • For a fixed initialisation value the stream cipher generates a different key stream for each key.

Stream ciphers: Designs

Linear feedback shift register (LFSR). LFSRs are often used as the running engine for a stream cipher. Stream cipher design based on LFSRs uses a number of different LFSRs and nonlinear Boolean functions coupled in different ways. Three common LFSR-based types of stream cipher can be identified:
  – Nonlinear combination generators: the key stream is generated as a nonlinear function of the outputs of multiple LFSRs.
  – Nonlinear filter generators: the key stream is generated as a nonlinear function of stages of a single LFSR.
  – Clock controlled generators: in these constructions, the necessary nonlinearity is created by irregular clocking of the LFSRs. The GSM encryption algorithm A5/1 is an example of a stream cipher of this type.
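An LFSR as the "running engine" described above, added here as an example and not code from the lecture. It implements a Fibonacci LFSR from its feedback polynomial, measures the period of the state sequence, and uses the bit stream as a key stream. The two 4-bit polynomials are chosen to show the "long period" requirement: x^4 + x^3 + 1 is primitive and reaches the maximal period 2^4 - 1 = 15, while x^4 + x^2 + 1 = (x^2 + x + 1)^2 is not and cycles after 6 steps. Nothing here adds the nonlinear part; a bare LFSR is linear, which is why the designs above combine or filter it.

```python
def _step(state, feedback):
    """Shift once: output s_0, append s_(t+L) = XOR of s_(t+j) for j in feedback."""
    new = 0
    for j in feedback:
        new ^= state[j]
    return state[1:] + [new]


def lfsr_stream(degree, feedback, state, n):
    """Fibonacci LFSR of length `degree` with feedback polynomial
    x^degree + sum(x^j for j in feedback). `state` is [s_0, ..., s_(degree-1)];
    s_0 is emitted first. Returns n key stream bits."""
    if len(state) != degree or not any(state):
        raise ValueError("state must have `degree` bits and must not be all zero")
    s = list(state)
    out = []
    for _ in range(n):
        out.append(s[0])
        s = _step(s, feedback)
    return out


def period(degree, feedback, state):
    """Number of steps until the register returns to `state`; at most 2^degree - 1
    for a non-zero state, reached only when the feedback polynomial is primitive."""
    s = list(state)
    for step in range(1, 2 ** degree + 1):
        s = _step(s, feedback)
        if s == list(state):
            return step
    return None  # not reached when the constant term (0 in feedback) is present


def stream_xor(data: bytes, degree, feedback, state) -> bytes:
    """Synchronous stream cipher: C_i = P_i xor K_i, with K_i packed from LFSR bits.
    The same call decrypts, since the key stream depends only on (feedback, state)."""
    bits = lfsr_stream(degree, feedback, state, 8 * len(data))
    keystream = []
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        keystream.append(byte)
    return bytes(d ^ k for d, k in zip(data, keystream))


PRIMITIVE = {3, 0}      # x^4 + x^3 + 1
REDUCIBLE = {2, 0}      # x^4 + x^2 + 1 = (x^2 + x + 1)^2
SEED = [0, 0, 0, 1]

if __name__ == "__main__":
    print("period primitive:", period(4, PRIMITIVE, SEED))   # 15
    print("period reducible:", period(4, REDUCIBLE, SEED))   # 6
    print(lfsr_stream(4, PRIMITIVE, SEED, 15))
    ct = stream_xor(b"hello", 4, PRIMITIVE, SEED)
    print(ct.hex(), stream_xor(ct, 4, PRIMITIVE, SEED))
```

A 4-bit register is only for inspection; a period of 15 bits means the key stream repeats inside the first two bytes, so even the "good" polynomial here is useless as a cipher. The requirement in the slide is a period far beyond any message length, which real designs get from registers of many tens of bits and from the nonlinear combination.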

Message authentication codes (MAC)

  • A MAC of a message P of arbitrary length is computed as a function H_K(P) of P under the control of a secret key K.
  • The MAC length m is fixed.
  • Security requirement: it must be infeasible, without the knowledge of the secret key, to determine the correct value of H_K(P) with a success probability larger than 1/2^m. This is the probability of simply guessing the MAC value correctly at random. It should not be possible to increase this probability even if a large number of correct pairs P and H_K(P) is available to the attacker.

  Generation:   (Secret key, Message) -> MAC
  Verification: (Secret key, Message) -> MAC, compared with the received MAC

Message authentication codes (MAC)

  • Similarly to block ciphers, MAC algorithms operate on relatively large blocks of data. Most MACs are iterated constructions. The core function in the MAC algorithm is a compression function. At each round the compression function takes a new data block and compresses it together with the compression result from the previous rounds. Hence the length of the message to be authenticated determines how many iteration rounds are required to compute the MAC value.
  • Given a message X and its MAC value H, it can be verified by anybody in possession of the secret key K and the MAC computation algorithm.
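MAC generation and verification with a real iterated construction, as an added example that is not part of the lecture slides: HMAC-SHA256 from the Python standard library, truncated to the fixed MAC length m. The verification side carries the two checks a practitioner adds: the comparison is constant-time, so an attacker cannot learn byte by byte how much of a forged tag was right, and the tag length is pinned, so a forger cannot submit a shorter tag and shrink the 2^(8m) guessing space. The last function measures the guessing probability of the slide empirically. Key and messages are constructed.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, message: bytes, m: int = 16) -> bytes:
    """H_K(P): HMAC-SHA256 truncated to a fixed MAC length of m bytes."""
    return hmac.new(key, message, hashlib.sha256).digest()[:m]


def verify(key: bytes, message: bytes, tag: bytes, m: int = 16) -> bool:
    """Recompute H_K(P) and compare in constant time. The expected length is
    checked first so that a shorter tag is rejected instead of being compared
    against a prefix of the correct value."""
    if len(tag) != m:
        return False
    return hmac.compare_digest(mac(key, message, m), tag)


def guess_success_rate(key: bytes, message: bytes, m: int, trials: int) -> float:
    """A forger without the key submits random tags. The accepted fraction should
    be about 1 / 2^(8m): for m = 1, an 8-bit MAC, roughly 1/256."""
    hits = sum(verify(key, message, secrets.token_bytes(m), m) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    key = b"constructed shared secret"
    msg = b"transfer 100 to account 42"
    tag = mac(key, msg)
    print(tag.hex(), verify(key, msg, tag))
    print(verify(key, b"transfer 900 to account 42", tag))     # False
    print("8-bit MAC guess rate:", guess_success_rate(key, msg, 1, 4096))
```

The truncation parameter m is the only knob here and it sets the forgery bound directly; protocols that truncate tags aggressively (for instance to 32 bits on a constrained link) must also rate-limit verification attempts, because 2^32 online guesses is not a large number.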

Hash functions

  • A hash code of a message P of arbitrary length is computed as a function H(P) of P. The hash length m is fixed.
  • Security requirements:
    1. Preimage resistance: given h, it is computationally infeasible to find P such that H(P) = h.
    2. Second preimage resistance: given P, it is computationally infeasible to find P' ≠ P such that H(P') = H(P).
    3. Collision resistance: it is computationally infeasible to find P and P' such that P ≠ P' and H(P') = H(P).

  Message -> Hash code (no key involved)

Hash functions

  • Similarly to MAC algorithms, hash functions operate on relatively large blocks of data. Most hash functions are iterated constructions. The core function in a hash function is a compression function. At each round the compression function takes a new data block and compresses it together with the compression result from the previous rounds. Hence the length of the message to be hashed determines how many iteration rounds are required to compute the hash value.
  • Hash function is public: given a message P anybody can compute the hash code of P.
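The three requirements differ in how hard they are to break, and the gap is the birthday paradox the block cipher slide deferred. The following added example (not from the lecture) makes that gap measurable by truncating SHA-256 to a small number of bits, which is an assumption purely for the demonstration: a preimage of a 16-bit hash costs about 2^16 evaluations, while a collision in a 32-bit hash, twice as many bits, costs only about 2^16 as well, because any two of the messages tried may collide. Against the full 256-bit output neither search finishes.

```python
import hashlib


def h_trunc(data: bytes, bits: int) -> int:
    """SHA-256 truncated to the top `bits` bits (a toy target, small enough to attack)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_preimage(target: int, bits: int, limit: int):
    """Preimage search: try candidate messages until H(m) == target.
    Expected cost about 2^bits evaluations. Returns (message, tries) or None."""
    for i in range(limit):
        m = b"candidate-%d" % i
        if h_trunc(m, bits) == target:
            return m, i + 1
    return None


def find_collision(bits: int, limit: int):
    """Birthday search: remember every hash seen; the first repeat is a collision.
    Expected cost about 2^(bits/2) evaluations. Returns (m1, m2, tries) or None."""
    seen = {}
    for i in range(limit):
        m = b"candidate-%d" % i
        h = h_trunc(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


if __name__ == "__main__":
    target = h_trunc(b"the document to be matched", 16)
    m, tries = find_preimage(target, 16, 1 << 22)
    print(f"16-bit preimage {m!r} after {tries} hashes")
    m1, m2, tries = find_collision(32, 1 << 21)
    print(f"32-bit collision {m1!r} / {m2!r} after {tries} hashes")
```

The search space matters for the security claim: a hash used only where collisions are irrelevant (a password digest, say) gets m bits of security against preimages, but one used to bind a signature to a document, where the attacker may prepare both documents, gets only m/2.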

Public key encryption

  • Slow, usually used to encrypt short messages in more complex protocols than just bulk message encryption: authentication, key agreement etc.
  • Because of the mathematics involved, complex message formatting rules (with hash functions) are required.
  • Chosen ciphertext attacks may be an essentially more serious threat than chosen plaintext (for symmetric block ciphers they are about the same). We will see an example later.
  • RSA, ElGamal in different groups, pairing based techniques …

  Encryption: (Message, Public key) -> Ciphertext
  Decryption: (Ciphertext, Private key) -> Message

Digital signatures

  • Important primitive; the only one to provide non-repudiation.
  • Slow; messages are signed by applying the digital signature operation to a fixed-length hash of the message.
  • Used for
    – message authentication protocols
    – non-repudiation protocols
    – authentication and key agreement
    – commitment schemes
    – …
  • RSA, ElGamal in different groups, Schnorr, DSA, pairing based techniques

  Signing:      (Message, Private key) -> Signature
  Verification: (Signature, Message, Public key) -> Validity (1 bit)
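The public key encryption and digital signature slides both say that the raw mathematics needs "formatting rules" around it. The following added example, not from the lecture, shows why with textbook RSA on toy parameters (p = 61, q = 53, e = 17, a constructed key far too small for real use): an unpadded ciphertext can be multiplied into a related ciphertext whose decryption reveals the message, which is the chosen-ciphertext weakness mentioned above, and an unhashed signature can be forged for any value the forger likes. The hash-then-sign path reduces SHA-256 into the modulus as a stand-in for a real padding scheme, which it is not.

```python
import hashlib

# Textbook RSA with toy parameters (constructed; real moduli are 2048+ bits).
P, Q = 61, 53
N = P * Q                              # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))      # 2753


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt(c: int) -> int:
    return pow(c, D, N)


def malleate(c: int, factor: int) -> int:
    """Chosen-ciphertext trick on unpadded RSA: E(m) * E(f) = E(m * f) mod N.
    Whoever can get c' = c * E(f) decrypted learns f * m and divides out f;
    the private key is never needed. Formatting (padding) rules exist to break
    exactly this algebra."""
    return (c * pow(factor, E, N)) % N


def hash_to_int(message: bytes) -> int:
    """Toy 'formatting': SHA-256 reduced into [1, N-1]. Stands in for a real
    hash-and-pad scheme and is only acceptable because N is a toy."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (N - 1) + 1


def sign(message: bytes) -> int:
    """Hash-then-sign: the signature operation is applied to the fixed-length hash."""
    return pow(hash_to_int(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    return pow(signature, E, N) == hash_to_int(message)


def forge_raw_signature(s: int):
    """Without hashing, (m, s) with m = s^E mod N is a valid pair for any s the
    forger picks: an existential forgery on textbook RSA signatures."""
    return pow(s, E, N), s


if __name__ == "__main__":
    c = encrypt(65)
    print(c, decrypt(c))                        # 2790 65
    print(decrypt(malleate(c, 2)))              # 130 = 2 * 65, without the key
    msg = b"pay 100 to alice"
    sig = sign(msg)
    print(verify(msg, sig), verify(msg, (sig * 2) % N))
    print(forge_raw_signature(5))
```

Both failure modes come from the same fact: exponentiation modulo N is a homomorphism, so products of ciphertexts are ciphertexts of products and products of signatures are signatures of products. Formatting rules make the messages that reach the exponentiation structured enough that the algebra no longer produces anything valid.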